From: Jouni Malinen
Date: Sun, 2 Jun 2019 13:38:17 +0000 (+0300)
Subject: tests: New style fuzzing tool for EAP-SIM peer processing
X-Git-Tag: hostap_2_9~188
X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fhostap.git;a=commitdiff_plain;h=23ddc7b810871edb8732f7ac43d825844c212308
tests: New style fuzzing tool for EAP-SIM peer processing
Signed-off-by: Jouni Malinen
---
diff --git a/src/eap_common/eap_sim_common.c b/src/eap_common/eap_sim_common.c
index cfdd1bf4a..1e0f80879 100644
--- a/src/eap_common/eap_sim_common.c
+++ b/src/eap_common/eap_sim_common.c
@@ -945,10 +945,15 @@ u8 * eap_sim_parse_encr(const u8 *k_encr, const u8 *encr_data,
 if (decrypted == NULL)
 return NULL;
+#ifdef TEST_FUZZ
+ wpa_printf(MSG_INFO,
+ "TEST: Skip AES-128-CBC decryption for fuzz testing");
+#else /* TEST_FUZZ */
 if (aes_128_cbc_decrypt(k_encr, iv, decrypted, encr_data_len)) {
 os_free(decrypted);
 return NULL;
 }
+#endif /* TEST_FUZZ */
 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Decrypted AT_ENCR_DATA",
 decrypted, encr_data_len);
diff --git a/src/eap_peer/eap_sim.c b/src/eap_peer/eap_sim.c
index b60577b7d..c4070ab33 100644
--- a/src/eap_peer/eap_sim.c
+++ b/src/eap_peer/eap_sim.c
@@ -799,8 +799,13 @@ static struct wpabuf * eap_sim_process_challenge(struct eap_sm *sm,
 EAP_SIM_NONCE_MT_LEN)) {
 wpa_printf(MSG_WARNING, "EAP-SIM: Challenge message "
 "used invalid AT_MAC");
+#ifdef TEST_FUZZ
+ wpa_printf(MSG_INFO,
+ "TEST: Ignore AT_MAC mismatch for fuzz testing");
+#else /* TEST_FUZZ */
 return eap_sim_client_error(data, id,
 EAP_SIM_UNABLE_TO_PROCESS_PACKET);
+#endif /* TEST_FUZZ */
 }
 /* Old reauthentication identity must not be used anymore. In
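Review bot: Nothing in the production file explains why the `#ifdef TEST_FUZZ` branch skips `aes_128_cbc_decrypt()` and lets the caller parse `decrypted` (presumably still the undecrypted copy of AT_ENCR_DATA made just above the hunk) as if it were plaintext, and a stray `-DTEST_FUZZ` in a non-fuzzing build would silently remove that decryption step from eap_sim_parse_encr. A comment at the `#ifdef`, `/* TEST_FUZZ: skip decryption so the fuzzer can reach the encrypted-attribute parser with its raw input; must never be defined in a production build */`, would make the intent and the hazard visible to the next reader. Tying TEST_FUZZ to the fuzzing build at the build-system level is worth considering too; the right place depends on rules.include, which is not part of this diff. eap_sim_parse_encr starts and ends outside the hunk.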
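Review bot: With the AT_MAC failure ignored under TEST_FUZZ, eap_sim_process_challenge continues with a request whose AT_MAC may be wrong or entirely absent, and the rest of the function, which continues outside the hunk, is not shown; the reauthentication hunk at 959/964 in this same file explicitly handles `attr->mac == NULL` after its bypass, so the challenge path should be checked for any later read of `attr->mac` and guarded the same way if one exists. Whether or not such a read exists, a one-line comment at the `#else`, `/* TEST_FUZZ: continue on MAC mismatch so the later processing is reachable by the fuzzer */`, would tell a reader of the production file why the error return is compiled out; the same comment fits the reauthentication hunk.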
@@ -959,15 +964,27 @@ static struct wpabuf * eap_sim_process_reauthentication(
 {
 wpa_printf(MSG_WARNING, "EAP-SIM: Reauthentication "
 "did not have valid AT_MAC");
+#ifdef TEST_FUZZ
+ wpa_printf(MSG_INFO,
+ "TEST: Ignore AT_MAC mismatch for fuzz testing");
+#else /* TEST_FUZZ */
 return eap_sim_client_error(data, id,
 EAP_SIM_UNABLE_TO_PROCESS_PACKET);
+#endif /* TEST_FUZZ */
 }
 /* At this stage the received MAC has been verified. Use this MAC for
 * reauth Session-Id calculation if all other checks pass.
 * The peer does not use the local MAC but the received MAC in deriving
 * Session-Id. */
+#ifdef TEST_FUZZ
+ if (attr->mac)
+ os_memcpy(data->reauth_mac, attr->mac, EAP_SIM_MAC_LEN);
+ else
+ os_memset(data->reauth_mac, 0x12, EAP_SIM_MAC_LEN);
+#else /* TEST_FUZZ */
 os_memcpy(data->reauth_mac, attr->mac, EAP_SIM_MAC_LEN);
+#endif /* TEST_FUZZ */
 wpa_hexdump(MSG_DEBUG, "EAP-SIM: Server MAC",
 data->reauth_mac, EAP_SIM_MAC_LEN);
diff --git a/tests/fuzzing/eap-sim-peer/Makefile b/tests/fuzzing/eap-sim-peer/Makefile
new file mode 100644
index 000000000..302717e95
--- /dev/null
+++ b/tests/fuzzing/eap-sim-peer/Makefile
@@ -0,0 +1,21 @@
+all: eap-sim-peer
+include ../rules.include
+
+CFLAGS += -DIEEE8021X_EAPOL
+CFLAGS += -DCONFIG_SIM_SIMULATOR
+
+OBJS += $(SRC)/eap_peer/eap_sim.o
+OBJS += $(SRC)/eap_common/eap_sim_common.o
+OBJS += $(SRC)/eap_common/eap_common.o
+LIBS += $(SRC)/crypto/libcrypto.a
+LIBS += $(SRC)/utils/libutils.a
+
+eap-sim-peer: eap-sim-peer.o $(OBJS) $(LIBS)
+ $(Q)$(LDO) $(LDFLAGS) -o $@ $^ $(LIBS) $(ELIBS)
+ @$(E) " LD " $@
+
+clean:
+ $(MAKE) -C $(SRC) clean
+ rm -f eap-sim-peer *~ *.o *.d ../*~ ../*.o ../*.d
+
+-include $(OBJS:%.o=%.d)
diff --git a/tests/fuzzing/eap-sim-peer/corpus/server.msg b/tests/fuzzing/eap-sim-peer/corpus/server.msg
new file mode 100644
index 000000000..adb9f6c6f
Binary files /dev/null and b/tests/fuzzing/eap-sim-peer/corpus/server.msg differ
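Review bot: The existing comment `At this stage the received MAC has been verified.` is no longer true under TEST_FUZZ, because the branch added just above it swallows the mismatch and continues; it should be amended, e.g. by appending `(under TEST_FUZZ the check is skipped and a missing AT_MAC is replaced by a fixed filler below)`. The `0x12` in the new `os_memset(data->reauth_mac, 0x12, EAP_SIM_MAC_LEN);` is an unexplained magic byte; a trailing comment such as `/* arbitrary filler so Session-Id derivation stays deterministic when no AT_MAC was received */` says why any fixed value is acceptable here. eap_sim_process_reauthentication starts and ends outside the hunk.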
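Review bot: Nothing in this Makefile defines TEST_FUZZ, yet the AT_MAC and decryption bypasses this commit adds to eap_sim_common.c and eap_sim.c are compiled only under that macro; presumably `../rules.include` supplies it (it is not part of this diff), but if it does not, the fuzzer would stop at the first AT_MAC failure and never reach the code the bypasses exist for. A one-line comment after `include ../rules.include`, such as `# TEST_FUZZ (the EAP-SIM MAC/decryption bypasses) is expected to come from rules.include`, would make that dependency explicit for whoever next edits either file.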
diff --git a/tests/fuzzing/eap-sim-peer/eap-sim-peer.c b/tests/fuzzing/eap-sim-peer/eap-sim-peer.c
new file mode 100644
index 000000000..ce701f3a0
--- /dev/null
+++ b/tests/fuzzing/eap-sim-peer/eap-sim-peer.c
@@ -0,0 +1,124 @@
+/*
+ * EAP-SIM peer fuzzer
+ * Copyright (c) 2019, Jouni Malinen
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "eap_peer/eap_methods.h"
+#include "eap_peer/eap_config.h"
+#include "eap_peer/eap_i.h"
+#include "../fuzzer-common.h"
+
+int eap_peer_sim_register(void);
+
+struct eap_method * registered_eap_method = NULL;
+
+
+struct eap_method * eap_peer_method_alloc(int version, int vendor,
+ EapType method, const char *name)
+{
+ struct eap_method *eap;
+ eap = os_zalloc(sizeof(*eap));
+ if (!eap)
+ return NULL;
+ eap->version = version;
+ eap->vendor = vendor;
+ eap->method = method;
+ eap->name = name;
+ return eap;
+}
+
+
+int eap_peer_method_register(struct eap_method *method)
+{
+ registered_eap_method = method;
+ return 0;
+}
+
+
+static struct eap_peer_config eap_sim_config = {
+ .identity = (u8 *) "1232010000000000",
+ .identity_len = 16,
+ .password = (u8 *) "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
+ .password_len = 65,
+};
+
+struct eap_peer_config * eap_get_config(struct eap_sm *sm)
+{
+ return &eap_sim_config;
+}
+
+
+const u8 * eap_get_config_identity(struct eap_sm *sm, size_t *len)
+{
+ static const char *id = "1232010000000000";
+
+ *len = os_strlen(id);
+ return (const u8 *) id;
+}
+
+
+void eap_set_anon_id(struct eap_sm *sm, const u8 *id, size_t len)
+{
+}
+
+
+void eap_sm_request_identity(struct eap_sm *sm)
+{
+}
+
+
+void eap_sm_request_sim(struct eap_sm *sm, const char *req)
+{
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ const u8 *pos, *end;
+ struct eap_sm *sm;
+ void *priv;
+ struct eap_method_ret ret;
+
+ wpa_fuzzer_set_debug_level();
+
+ eap_peer_sim_register();
+ sm = os_zalloc(sizeof(*sm));
+ if (!sm)
+ return 0;
+ priv = registered_eap_method->init(sm);
+ os_memset(&ret, 0, sizeof(ret));
+
+ pos = data;
+ end = pos + size;
+
+ while (end - pos > 2) {
+ u16 flen;
+ struct wpabuf *buf, *req;
+
+ flen = WPA_GET_BE16(pos);
+ pos += 2;
+ if (end - pos < flen)
+ break;
+ req = wpabuf_alloc_copy(pos, flen);
+ if (!req)
+ break;
+ wpa_hexdump_buf(MSG_MSGDUMP, "fuzzer - request", req);
+ buf = registered_eap_method->process(sm, priv, &ret, req);
+ wpa_hexdump_buf(MSG_MSGDUMP, "fuzzer - local response", buf);
+ wpabuf_free(req);
+ wpabuf_free(buf);
+ pos += flen;
+ }
+
+ registered_eap_method->deinit(sm, priv);
+ os_free(registered_eap_method);
+ os_free(sm);
+
+ return 0;
+}
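Review bot: LLVMFuzzerTestOneInput dereferences `registered_eap_method` and the `priv` returned by `init()` without checking either, and it frees `registered_eap_method` at the end while leaving the global pointing at the freed object, so if `eap_peer_sim_register()` fails to allocate on a later run the next `init` call goes through a NULL or dangling pointer, and if the method's init returns NULL (eap_sim.c's init is not in this diff, so that cannot be confirmed here) `process()` runs with a NULL private context. The early `return 0` after a failed `os_zalloc(sizeof(*sm))` also leaks the method struct that registration allocated. The rewrite below adds both checks, resets the global after freeing it, and routes every exit through one cleanup label; the frame loop is unchanged. Minor: `while (end - pos > 2)` never processes a trailing length-0 frame whose 2-byte header ends exactly at `end`; `>= 2` would.
```c
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
	/* … unchanged: declarations and wpa_fuzzer_set_debug_level() … */

	eap_peer_sim_register();
	if (!registered_eap_method)
		return 0;
	sm = os_zalloc(sizeof(*sm));
	if (!sm)
		goto out;
	priv = registered_eap_method->init(sm);
	if (!priv)
		goto out;
	os_memset(&ret, 0, sizeof(ret));
	/* … unchanged: pos/end setup and the frame loop … */
	registered_eap_method->deinit(sm, priv);
out:
	os_free(registered_eap_method);
	registered_eap_method = NULL;	/* global outlives this run; never leave it dangling */
	os_free(sm);

	return 0;
}
```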